Public key encryption with digital signature scheme

ABSTRACT

An improved encryption and digital signature system and method in accordance with the invention reuses an encryption ephemeral key pair from an encryption process in a digital signature process. The reuse of the encryption ephemeral key pair in the digital signature process advantageously results in reduced byte size of the digital signature and reduction of costly computation overhead. In a preferred embodiment, the invention is based on the El Gamal encryption scheme and the Nyberg-Rueppel signature scheme. The present invention is particularly useful for operation in conjunction with small communication devices having limited processing and storage, wherein such devices may communicate via bandwidth sensitive RF links.

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates to the field of public-key cryptography. More specifically, it is directed to a combined and improved public key encryption and digital signature scheme.

2. Background of the Invention

Cryptography essentially provides confidentiality, authentication, integrity and non-repudiation for communication between different parties over public communication channels.

In a public-key scheme, each user has a key pair consisting of a public key that is made publicly available, and a private key that is kept secret. The two keys are related by a hard one-way function, so as to make it infeasible to determine the private key from the public key. The public-key scheme allows a signature in the form of a digital signature to accompany a message.

In the public-key environment, there are preferably three major processes. First, there is the certification process. A certificate authority creates a certificate that binds a user identity to the public key. A certificate repository provides a database of certificates where the public can access and retrieve the public key information of participants. In addition, there is a registration authority that acts as an assistant to the certificate authority. In essence, the registration authority is used to validate the binding. The second process is the encryption scheme that essentially converts a plaintext message into a ciphertext message. The third process is a digital signature process. The present invention relates specifically to the latter process and how it may be combined with the encryption process.

A digital signature is a cryptographic primitive that provides a means for a user or an entity to bind its identity to a piece of information. A digital signature of a message is a sequence of bytes dependent on some secret known only to the signer, and, additionally, on the content of the message being signed. Such signatures must be verifiable, if a dispute arises as to whether a party signed a document. The process of signing entails transforming the message and a key unique to a particular user into a tag called a digital signature. A digital signature may be used to prove the identity of the sender and the integrity of data. To verify the digital signature, a recipient of a digitally signed message can use a verification rule associated with the digital signature scheme. Any attempt to modify the contents of the message or forge a signature will be detected when the signature is verified.

Each of the above stages requires a certain degree of undesirable computational processing and a certain degree of byte-size overhead associated with the transmission of a communication to make the overall public-key process secure.

Therefore, there remains an ongoing desire to reduce the additional byte and processing overhead associated with the public-key system while, at the same time, not reducing the effectiveness of the public-key system.

SUMMARY OF THE INVENTION

It is an object of the invention to reduce some of the drawbacks of the prior art public-key systems.

It is an object of the invention to reduce computational processing associated with public-key schemes.

It is an object of the invention to reduce byte-size overhead associated with the transmission of the digital signature.

It is a further object of the present invention to provide a public key scheme with an improved encryption and digital signature scheme. The improved encryption and signature scheme can work in any finite cyclic group, such as a group of points on an elliptic curve over a finite field.

More specifically, in the present invention, there is provided an improved encryption and digital signature scheme that reuses an ephemeral key pair from the encryption process in the signature process. Advantageously, the reuse of the ephemeral key allows the digital signature to be reduced in byte size. Another advantage is that costly computation may be avoided.

According to the invention, a public-key encryption process comprises the steps of encrypting a plaintext message into a ciphertext message, the encrypting step including the step of producing an ephemeral key pair, and signing a digital signature using the ephemeral key pair.

In another inventive aspect, a public-key encryption system comprises means for encrypting a plaintext message into a ciphertext message, the encrypting means producing an ephemeral key pair, and means for signing a digital signature using the ephemeral key pair.

A further aspect of the invention involves a software program on a computer-readable storage medium, which when executed by a processor performs a public-key encryption process comprising the steps of encrypting a plaintext message into a ciphertext message, the encrypting step including the step of producing an ephemeral key pair, and signing a digital signature for the ciphertext message using the ephemeral key.

In a preferred embodiment described herein, the invention is based on the El Gamal encryption and Nyberg-Rueppel signature schemes. Other encryption and digital signature schemes are all well within the scope of the invention.

In the inventive process, system or software program, the ephemeral key pair may be produced by generating an encryption ephemeral private key x and calculating an encryption ephemeral public key X=xG, where G is a generator. According to a further preferred embodiment, the digital signature comprises a first value r and a second value s, and the encryption ephemeral public key X, the ciphertext message and the second value s of the digital signature are transmitted from a sender to a receiver. At the receiver, the transmitted ciphertext message is decrypted, the first value r of the digital signature is calculated using the decrypted message and the transmitted encryption ephemeral public key X, and the digital signature is validated based on the calculated first value r and the transmitted second value s.

With respect to the notation adopted herein and described below, the improved digital signature scheme uses the value of x, an encryption ephemeral key, for the value of z, a signature ephemeral key, instead of generating a random value for z, as in the prior art. Consequently, the transmitted digital signature of the present invention comprises a value s. A value of r, which according to conventional methods must be transmitted with the message, is instead reconstructed on the recipient end based on given values in the sender's transmission. In this improved scheme the overall combined El Gamal encryption scheme and the Nyberg-Rueppel digital signature scheme is optimized for faster computation time and lower overhead bandwidth. In particular, the computation of Z=zG is avoided by the sender in the digital signature stage and the byte-size overhead associated with the digital signature transmission is reduced.

The present invention is preferably configured to operate in conjunction with small devices having limited processing and storage such as those disclosed in co-pending U.S. patent application Ser. No. 09/106,585 titled “Hand-Held Electronic Device With a Keyboard Optimized for Use With The Thumbs”, the disclosure of which is hereby incorporated into this disclosure by reference. Other systems and devices in which the invention may be implemented include, but are not limited to, wireless communication systems, wireless hand-held communication devices, personal digital assistants (PDAs), cellular phones and two-way pagers.

The present invention addresses specific dilemmas faced in electronic communication devices that are both bandwidth and computation load sensitive.

Further features of the invention will be described or will become apparent in the course of the following detailed description.

BRIEF DESCRIPTION OF THE DRAWINGS

In order that the invention may be more clearly understood, the preferred embodiment thereof will now be described in detail by way of example, with reference to the accompanying drawings, in which:

FIG. 1 is a functional diagram of a prior art El Gamal public-key encryption scheme;

FIG. 2 is a functional diagram of a prior art Nyberg-Rueppel digital signature scheme;

FIG. 3 is a functional diagram of a prior art public-key system combining the schemes illustrated in FIGS. 1 and 2;

FIG. 4 is a functional diagram of the present invention's public-key system with an improved digital signature scheme; and

FIG. 5 is a block diagram of a communication system in which the invention could be implemented.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

Notation Explanation

For clarity of the detailed description, the notation used herein is now defined. In the improved encryption and digital signature scheme to be described, any finite cyclic group, such as the group of points on an elliptic curve over a finite field, is suitable for its application. In the preferred embodiment described herein, the present invention is based on combining the El Gamal encryption scheme and the Nyberg-Rueppel digital signature scheme. Other encryption and digital signature schemes are all well within the scope of the invention.

Upper case letters, such as A, B, G, K, Q, X, Z, denote group elements. An upper case G throughout this description is a generator of the group and has order n. Lower case letters, such as a, b, h, r, s, x, z, denote integers modulo (mod) n. An upper case letter with an asterisk, such as Z*, denotes the conversion of a corresponding group element, i.e. Z, to an integer. For elliptic curves, Z=(x,y) and Z* is usually derived from the x of Z. The group operation is denoted by ‘+’ and aA=A+A+ . . . +A, a times. In addition, ciphertext=encrypt (K, message) denotes a symmetric key encryption function that encrypts a plaintext message using a key derived from a group element K and returns the corresponding ciphertext. Likewise, message=decrypt (K, ciphertext) denotes a symmetric key decryption function that decrypts a ciphertext using a key derived from a group element K and returns the corresponding plaintext message. Finally, h=hash (message) denotes a cryptographically secure hash function that hashes a message to an integer modulo n.

The detailed description now follows with reference to FIGS. 1-5. In the functional diagrams of FIGS. 1-4, time is represented as increasing from the top to the bottom of the diagrams, as indicated by the “t” arrow at the top of each diagram.

FIG. 1 is a schematic of the prior art El Gamal public key encryption scheme 10. An encrypted message exchange between a notional sender, Alice 20, and a notional recipient, Bob 30, is illustrated therein. In a certification stage 40, Bob randomly generates private key b and computes public key B=bG, as shown at 12. For the purposes of this description, it is assumed that Alice has Bob's authentic public key B. A certification authority, if used, validates a public key by creating and issuing a certificate. Alice may receive Bob's certificate 14 directly from Bob, or from a publicly accessible public key repository. Alice verifies that the signature on the certificate is correct, and that the certificate has not expired or been revoked. If those conditions are satisfied, then the public key B in the certificate 14 may be trusted.

In the illustrated encryption process 10, the sender Alice performs the processing indicated in block 16. A random integer x, known as an encryption ephemeral private key, is generated and an encryption ephemeral public key X=xG is calculated. X and x comprise an encryption ephemeral key pair. Alice then generates a secret encryption key K=xB=xbG and encrypts her plaintext message 18 with secret key K 20. The encryption ephemeral public key X and ciphertext message 22 are then transmitted to Bob. Bob then calculates secret key K=bX=bxG=xbG=xB and decrypts the ciphertext 22 back into plaintext message 18. This key agreement scheme is a protocol by which a pair of users, communicating over an insecure channel, may independently calculate the same secret key from publicly communicated values.

FIG. 2 is a schematic of the prior art Nyberg-Rueppel digital signature scheme 60. In this scheme, Alice randomly generates private key a and computes public key A=aG (see block 24). Similar to the scheme of FIG. 1, it is assumed that Bob has obtained Alice's authentic public key either directly from Alice or through a certificate 26 from a certification authority or public key repository. As shown in FIG. 2, a hash value h 32 is created from the message using a hash function. An ephemeral signature key pair (Z, z) is produced by randomly generating ephemeral signature private key z 34 and calculating ephemeral public key Z 36, where Z=zG. The digital signature 38, comprising values r=Z*+h mod n and s=z−ar mod n, is calculated and transmitted with message 18 to Bob.

This scheme requires the message 18 as input into the signature and verification algorithms 42. The verification portion of the scheme verifies a signature with Alice's public key A, given the digital signature 38 comprising integers r, s and the message 18. The recipient verifies the message by creating the hash value h 32 using the same hash function and processing it with Alice's public key. The verification output is compared with the received signature r, s to determine its validity, as shown in block 42.

FIG. 3 is illustrative of a traditional prior art public key encryption scheme using the El Gamal public key encryption scheme and the Nyberg-Rueppel digital signature scheme. In this scheme 80, there are three main stages to a public key encryption scheme. First, there is a preliminary certification scheme 40, during which Alice and Bob obtain each other's authentic public key A and B. Second, there is an encryption process 50. Third, there is a digital signature scheme 70. As the El Gamal and Nyberg-Rueppel schemes have been described separately above, a detailed description of the combined encryption/signature scheme in FIG. 3 will not be pursued. However, it is highlighted that the signature ephemeral private key z 34 is randomly generated by the sender, the signature ephemeral public key Z 36 is computed by the sender and the transmitted digital signature 38 comprises the integers r and s. The values of r and s representing the transmitted digital signature 38 are transmitted with the encryption public key X and the ciphertext in the prior art.

There are, however, some undesirable characteristics associated with this prior art approach. Firstly, computational resources and time are consumed where Z is calculated with large bit numbers. Secondly, the byte-size overhead associated with the public-key transmitted information is undesirably large for bandwidth sensitive devices such as wireless communication devices. The present invention addresses these two undesirable qualities.

FIG. 4 illustrates an overview of a preferred embodiment of the present invention. Like the prior art, there are three main stages to the preferred embodiment of the present invention, namely the certification 40′, encryption 50′ and digital signature 70′ stages.

In the certification stage, Alice generates a long term random private key a and computes public key A, where A=aG. Likewise, Bob randomly generates private key b and computes public key B, where B=bG. As described above in relation to FIGS. 1-3, Alice and Bob exchange authentic public keys A and B directly, through a certification authority or through a public key repository.

In the encryption stage 40′, Alice generates an encryption ephemeral private key as random integer value x and computes a corresponding encryption ephemeral public key X, where X=xG. As described above, the set (X, x) represents the ephemeral key pair produced in the encryption scheme. With this information, Alice uses Bob's public key B to compute secret key K 20, given by K=xB. Alice then encrypts the message producing ciphertext=encrypt (K, message) 22.

The present invention outlined in FIG. 4 deviates from the prior art scheme of FIG. 3 in several important aspects. The improved digital signature scheme of the present invention uses the encryption ephemeral key pair (X, x) produced in the encryption stage 50′ as a substitute for the signature ephemeral key pair (Z, z) required in the digital signature stage 70′. The value of signature ephemeral private key z 34′ is set to the value of encryption ephemeral private key x from the encryption stage. Consequently, the random generation of z and the computation of Z 36′ are not required, since signature ephemeral public key Z 36′ equals encryption ephemeral public key X 20. Advantageously, this reduces the computational load on the sender. In essence, the value for x is used for two different purposes. In the first instance, x is used for the encryption process scheme 50′. In the second instance, x is also used in the digital signature scheme 70′.

After transmission of the encryption public key X 20, ciphertext 22 and signature s 38′, Bob may then calculate secret key K=bX and then decrypt the message by message=decrypt (K, ciphertext). The digital signature scheme then preferably hashes the message 40 to calculate h, as indicated in block 42′. Two pieces of information for the digital signature still need to be computed, namely integers r and s. The integers are calculated as follows: r=Z*+h mod n=X*+h mod n and s=z−ar mod n=x−ar mod n. However, only s, in addition to the encryption ephemeral public key X and the ciphertext, must be transmitted to Bob in the inventive scheme 80′. Rather than r being transmitted to Bob, r is instead reconstructed at the receive side by calculating r=X*+h mod n. In this manner, the overall byte-size overhead associated with the digital signature 38′ is reduced by not transmitting r. In a specific embodiment of the invention, the saving was in the range of twenty-two bytes. In portable two-way wireless communication devices, reducing the transmission by twenty-two bytes is considerably useful and advantageous.
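The sender-side computations of FIG. 4 (K=xB, r=X*+h mod n, s=x−ar mod n, transmit X, ciphertext and s) and the receiver-side reconstruction of r, together with the standard Nyberg-Rueppel verification of FIG. 2 (sG+rA must recover the signature ephemeral public key, which is X here), as a worked example. This is added code, not code from the patent or its assignee, and it makes assumptions the patent does not: the finite cyclic group is the secp256k1 curve (the patent names no curve), hash is SHA-256 reduced mod n, and encrypt/decrypt is a constructed SHA-256 keystream XOR. The helper names (`ec_add`, `ec_mul`, `star`, `sender`, `receiver`, `signature_overhead_bytes`) are the example's own.

```python
import hashlib
import secrets

# Group: secp256k1, y^2 = x^3 + 7 over GF(P); G generates a subgroup of prime order N.
# A concrete instance of "any finite cyclic group"; the patent does not name a curve.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Group operation '+' on affine points; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """aA = A + A + ... + A (a times), double-and-add. Not constant-time."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def star(point):
    """Z*: convert a group element to an integer mod n, from its x-coordinate."""
    return point[0] % N


def hash_to_int(message):
    """h = hash(message): SHA-256 reduced to an integer mod n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sym_crypt(K, data):
    """encrypt/decrypt(K, .): SHA-256 keystream XOR keyed from group element K.
    Constructed for this example; acceptable only because K comes from a fresh x."""
    key = hashlib.sha256(K[0].to_bytes(32, "big")).digest()
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(c ^ k for c, k in zip(data[i:i + 32], block))
    return bytes(out)


def keygen():
    """Long-term key pair: (a, A=aG) for Alice or (b, B=bG) for Bob."""
    priv = secrets.randbelow(N - 1) + 1
    return priv, ec_mul(priv, G)


def sender(a, B, message):
    """Alice: El Gamal encryption, then a Nyberg-Rueppel signature with z := x."""
    x = secrets.randbelow(N - 1) + 1      # encryption ephemeral private key
    X = ec_mul(x, G)                      # encryption ephemeral public key
    K = ec_mul(x, B)                      # K = xB = xbG
    ciphertext = sym_crypt(K, message)
    h = hash_to_int(message)
    r = (star(X) + h) % N                 # r = Z* + h with Z = X, so no zG needed
    s = (x - a * r) % N                   # s = z - ar with z = x
    return X, ciphertext, s               # r is not transmitted


def receiver(b, A, X, ciphertext, s):
    """Bob: decrypt, reconstruct r from X and the message, verify (r, s) under A."""
    K = ec_mul(b, X)                      # K = bX = bxG = xB
    message = sym_crypt(K, ciphertext)
    h = hash_to_int(message)
    r = (star(X) + h) % N                 # reconstructed, never received
    # Nyberg-Rueppel check: sG + rA recovers the signature ephemeral public key
    # (here X itself); adding h to its x-coordinate must give r back.
    Z = ec_add(ec_mul(s, G), ec_mul(r, A))
    valid = Z is not None and (star(Z) + h) % N == r
    return message, valid


def signature_overhead_bytes():
    """Bytes on the wire: prior art sends (r, s), this scheme sends s only."""
    size = (N.bit_length() + 7) // 8
    return 2 * size, size
```

Usage: `a, A = keygen()` for Alice, `b, B = keygen()` for Bob, then `X, ct, s = sender(a, B, msg)` and `receiver(b, A, X, ct, s)` returns `(msg, True)`. Flipping a ciphertext byte changes the decrypted message and hence h and r, so the check fails; so does verifying against a public key other than Alice's. With this 256-bit group the saving from omitting r is 32 bytes, versus the twenty-two bytes the patent reports for its own embodiment. As the claims state, the ephemeral pair is used for a single message: both the keystream and s depend on x, so x must be fresh each time.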

The inventive encryption and signature scheme outlined in FIG. 4 would preferably be implemented in software in a communication system. The block diagram in FIG. 5 represents one such system 100 in which the inventive scheme could be used. In FIG. 5, 110, 112 and 114 are communication devices and 116 is a certification authority or public key repository. In order for the devices to communicate using the inventive scheme, each device must first exchange authentic public keys with the other device or devices with which communication is desired. As shown in FIG. 5 and described above, each device may communicate with a certification authority or public key repository 116 or with each other to accomplish public key exchange. Each communication device may incorporate software or hardware to perform the inventive encryption and signature scheme. Communication devices 110, 112 and 114 may be wired or wireless communication devices. This invention has particular application in, but not limited to, Personal Digital Assistants, mobile communication devices, cellular phones, two-way pagers and wireless two-way e-mail communication devices. One such illustrative device that may implement the present invention is disclosed in co-pending U.S. patent application Ser. No. 09/106,585, referenced above. In an alternative embodiment of the present invention, a system disclosed in FIG. 2 of PCT/CA99/00494 titled “System and Method for Pushing Information From a Host System to Mobile Data Communication Device”, the specification of which is hereby incorporated by reference into the present disclosure, may implement the present invention. In all such systems, a typical system for which the present invention is particularly useful is a low bandwidth system such as one that utilizes an RF link in the communication path. The system and method of pushing information from a host system to a mobile described in the latter application is only one preferred system and method for the present invention herein; however, it is to be understood that other types of systems and methods that utilize the present invention could be implemented.

It will be appreciated that the above description relates to a preferred embodiment by way of example only. Many variations on the invention will be obvious to those knowledgeable in the field, and such obvious variations are within the scope of the invention as described and claimed, whether or not expressly described. For instance, the aforementioned process could obviously be extended to include multiple recipients from a single sender.

We claim:
1. A public-key decryption process, comprising: receiving from a sender (1) a public key of a key pair that is used for a single message, and (2) a second value s of a digital signature that was generated using the key pair, the digital signature comprising a first value r and the second value s; calculating the first value r of the digital signature using the public key; and validating the digital signature based upon the calculated first value r and the received second value s.
2. The public-key decryption process of claim 1, wherein a ciphertext message that was encrypted using the key pair is also received from the sender.
3. The public-key decryption process of claim 2, wherein validating the digital signature comprises hashing a plaintext message that is encrypted within the ciphertext message.
4. The public-key decryption process of claim 1, wherein the key pair was produced by: generating a private key x; and calculating the public key X=xG in a finite cyclic group having G as a generator.
5. The public-key decryption process of claim 4, the process comprising decrypting a ciphertext message received from the sender into a plaintext message by: generating a secret key K=bX; and decrypting the ciphertext message using the secret key K to generate the plaintext message.
6. The public-key decryption process of claim 5, wherein the sender used the private key x as a signature private key and used the public key X as a signature public key to generate the digital signature.
7. The public-key decryption process of claim 4, the process comprising decrypting a ciphertext message received from the sender into a plaintext message by: generating a secret key K by calculating one of: bX, bxG, xbG, and xB; and decrypting the ciphertext message using the generated secret key K.
8. The public-key decryption process of claim 1 implemented in a wireless communication system, wherein at least a two stage public-key decryption process is used, wherein a first stage includes key establishment and the second stage includes decryption, and wherein decrypting a plaintext message and validating the digital signature are performed during the second stage.
9. The public-key decryption process of claim 1, further comprising: at a sender, generating a sender private key a; and calculating a sender public key A=aG, where G is a generator; and at a receiver, generating a receiver private key b; and calculating a receiver public key B=bG, wherein the sender obtains an authentic copy of the receiver public key B and the receiver obtains an authentic copy of the sender public key A.
10. A communication device, comprising: a computer-readable memory encoded with software instructions; and wherein: the communication device is configured to receive from a sender (1) a public key of a key pair that is used for a single message, and (2) a second value s of a digital signature that was generated using the key pair, the digital signature comprising a first value r and the second value s; the communication device is configured to calculate the first value r of the digital signature using the public key; and the communication device is configured to validate the digital signature based upon the calculated first value r and the received second value s.
11. The communication device of claim 10, wherein the communication device is further configured to hash a plaintext message encoded within a ciphertext received from the sender when validating the digital signature.
12. The communication device of claim 10, wherein the communication device is further configured to generate a secret key K=bX where b is a receiver private key; and wherein the communication device is further configured to decrypt a ciphertext message using the secret key K.
13. The communication device of claim 10, wherein the communication device is further configured to generate a secret key K by calculating one of: bX, bxG, xbG, and xB where b is a receiver private key, B is a receiver public key, x is a private key of the key pair that is used for a single message and G is a generator; and wherein the communication device is further configured to decrypt a ciphertext message using the secret key K.
14. The communication device of claim 10, wherein the communication device is further configured to: generate a receiver private key b; calculate a receiver public key B=bG, where G is a generator; and obtain an authentic copy of the sender public key A.
15. A wireless device for decrypting data, comprising: a data processor; a computer-readable memory encoded with instructions for commanding the data processor to execute steps including: receiving from a sender (1) a public key of a key pair that is used for a single message, and (2) a second value s of a digital signature that was generated using the key pair, the digital signature comprising a first value r and the second value s; calculating the first value r of the digital signature using the public key; and validating the digital signature based upon the calculated first value r and the received second value s.
16. The wireless device of claim 15, wherein the computer-readable memory is further encoded with instructions for commanding the data processor to execute steps including hashing a plaintext message encoded within a ciphertext message received from the sender when validating the digital signature.
17. The wireless device of claim 16, wherein the computer-readable memory is further encoded with instructions for commanding the data processor to execute steps including: generating a secret key K=bX where b is a receiver private key; and decrypting the ciphertext message using the secret key K.
18. The wireless device of claim 16, wherein the computer-readable memory is further encoded with instructions for commanding the data processor to execute steps including: generating a secret key K by calculating one of: bX, bxG, xbG, and xB where b is a receiver private key, B is a receiver public key, x is a private key of the key pair that is used for a single message and G is a generator; and decrypting the ciphertext message using the secret key K.
19. The wireless device of claim 15, wherein the computer-readable memory is further encoded with instructions for commanding the data processor to execute steps including: generating a receiver private key b; calculating a receiver public key B=bG, where G is a generator; and obtaining an authentic copy of the sender public key A.